2023-2024第13届新华三杯全国大学生数学技术大赛高职赛题

我恨路由交换！虐我千百遍却对他依旧保持更新态度！

本人今年第一次参加华三杯一路打怪升级到总决赛，这次高职组的大赛对我来说相较于去年简单了不止一点，去年的题我也做了很多遍包含了（MPLSVPN，防火墙），但今年的大赛题目，我知道考过IE实验的同志们一眼就看出这是旧版IE-labA的简化版，唯一难点就是gre over ipsec的野蛮模式配置，其他MSTP,OSPF,VRRP,链路聚合没有难度，本人也是有幸获得全国总决赛的高职组-个人赛-一等奖，没有在模拟面试超过别人很遗憾没有获得特等奖，希望我的学弟能够在明年拿到！

1.配置需求

1.1整个企业应用分为两种业务，a流192.168.0.0/24和b流10.1.0.0/16

1.2S1\S2\S3之间的trunk端口配置时可以允许所有all 通过，或允许具体vlan通过

1.3S1---S2之间配置链路聚合，并且聚合端口要配置为trunk

1.4S1\S2\S3之间配置mstp单域多实例使得a流优先从sw1转发，b流优先通过sw2转发

1.5S1\S2\S3MSTP开启根桥保护和环路保护

1.6S1---S2之间运行vrrp，a流使用sw1作为vrrp 的mast，b流使用sw2作为vrrp的mast

1.7R3连接互联网S5的接口地址，由互联网动态分配，总部R1连接互联网的接口地址为静态分配

1.8S1/S2/R1/R2之间运行ospf路由协议区域0，R1/R5之间运行ospf路由协议协议10，R2/R4之间运行ospf路由协议区域10,S1/S2/R1/R2互联接口配置P2P，实现快速收敛

1.9为实现R3和总部以及R4的互通，需要在r1上进行ospf0和ospf10的相互引入

1.10R3总部R1互访通过 gre over ipsec实现，为降低ipsec配置的复杂性，需要使用ipsec模板进行配置

1.11S5模拟互联网，需要访问互联网的节点通过缺省路由，并在出口路由器上进行nat来实现

1.12总部b流提供一台服务器，内网地址为10.1.1.100 对应的互联网地址为100.1.1.100.要求能够从互联网进行各类业务的访问

2.组网图

3.重点配置步骤

3.1S1/S2/S3 MSTP配置

[S1]stp region-configuration 
[S1-mst-region]region-name h3c 
[S1-mst-region]instance 1 vlan 20
[S1-mst-region]instance 2 vlan 20
[S1-mst-region]active region-configuration         #S1/S2/S3配置一样确保属于同一个MST

[S1]stp instance 1 root primary                                 
[S1]stp instance 2 root secondary                       #S1vlan10根vlan20备份根

[S2]stp instance 1 root secondary 
[S2]stp instance 2 root primary                            #S2vlan10备份根vlan20根

[S3]int range g1/0/21 to g1/0/22
[S3-if-range]stp loop-protection                            #S3配置环路保护

[S1]int g1/0/21
[S1-GigabitEthernet1/0/21]stp root-protection      #聚合口配置环路保护，指定端口根保护
[S1-Bridge-Aggregation1]stp loop-protection 

[S2]int g1/0/22
[S2-GigabitEthernet1/0/22]stp root-protection
[S2-Bridge-Aggregation1]stp loop-protection 

3.2S1---S2VRRP配置

[S1]int vlan 10
[S1-Vlan-interface10]vrrp vrid 100 virtual-ip 192.168.10.254 
[S1-Vlan-interface10]vrrp vrid 100 priority 150
[S1]int vlan 20
[S1-Vlan-interface20]vrrp vrid 200 virtual-ip 192.168.20.254 
[S1-Vlan-interface20]vrrp vrid 200 priority 100
[S2]int vlan 10
[S2-Vlan-interface10]vrrp vrid 100 virtual-ip 192.168.10.254 
[S2-Vlan-interface10]vrrp vrid 100 priority 100
[S2]int vlan 20
[S2-Vlan-interface20]vrrp vrid 200 virtual-ip 192.168.20.254 
[S2-Vlan-interface20]vrrp vrid 200 priority 150

3.3R3--S5DHCP配置

[S5]dhcp enable

[S5]dhcp server ip-pool 1
[S5-dhcp-pool-1]network 100.1.3.0 mask 255.255.255.0
[S5-dhcp-pool-1]gateway-list 100.1.3.254 

[R3]int g0/0
[R3-GigabitEthernet0/0]ip address dhcp-alloc 

3.4R1--R3gre over ipsec配置

[R1]ip route-static 0.0.0.0 0 100.1.1.254
[R1]ike proposal 1
[R1]ike keychain 1
[R1-ike-keychain-1]pre-shared-key hostname R3 key simple h3c123
[R1]ike profile 1
[R1-ike-profile-1]proposal 1
[R1-ike-profile-1]keychain 1
[R1-ike-profile-1]match remote identity fqdn R3
[R1-ike-profile-1]local-identity fqdn R1
[R1-ike-profile-1]exchange-mode aggressive 
[R1]ipsec transform-set 1
[R1-ipsec-transform-set-1]esp authentication-algorithm md5 
[R1-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc 
[R1]ipsec policy-template R3 1
[R1-ipsec-policy-template-R3-1]transform-set 1
[R1-ipsec-policy-template-R3-1]ike-profile 1
[R1]ipsec policy fengbu 1 isakmp template R3
[R1]int g0/1
[R1-GigabitEthernet0/1]ipsec apply policy fengbu

[R1]int Tunnel 0 mode gre
[R1-Tunnel0]ip address 10.255.13.1 30
[R1-Tunnel0]source 192.168.255.1
[R1-Tunnel0]destination 192.168.255.3 
[R1-Tunnel0]keepalive 10 

[R3]acl advanced 3000
[R3-acl-ipv4-adv-3000]rule 0 permit ip source 192.168.255.3 0 destination 192.16
8.255.1 0 

[R3]ike proposal 1
[R3]ike keychain 1
[R3-ike-keychain-1]pre-shared-key address 100.1.1.1.1 key simple h3c123
[R3]ike profile 1
[R3-ike-profile-1]proposal 1
[R3-ike-profile-1]keychain 1
[R3-ike-profile-1]match remote identity fqdn R1
[R3-ike-profile-1]local-identity fqdn R3
[R3-ike-profile-1]exchange-mode aggressive 
[R3]ipsec transform-set 1
[R3-ipsec-transform-set-1]esp authentication-algorithm md5 
[R3-ipsec-transform-set-1]esp encryption-algorithm 3des-cbc 

[R3]ipsec policy 1 1 isakmp 
[R3-ipsec-policy-isakmp-1-1]transform-set 1 
[R3-ipsec-policy-isakmp-1-1]security acl 3000
[R3-ipsec-policy-isakmp-1-1]remote-address 100.1.1.1
[R3-ipsec-policy-isakmp-1-1]ike-profile 1

[R3]int g0/0
[R3-GigabitEthernet0/0]ipsec apply policy 1

[R3]int Tunnel 0 mode gre
[R3-Tunnel0]ip address 10.255.13.2 30
[R3-Tunnel0]source 192.168.255.3 
[R3-Tunnel0]destination 192.168.255.1
[R3-Tunnel0]keepalive 10

3.5R1静态NAT配置

[R1]nat static outbound 10.1.1.100 100.1.1.100
[R1]int g0/1
[R1-GigabitEthernet0/1]nat static enable 
[R1]ospf 
[R1-ospf-1]default-route-advertise

4.设备IP地址

R1	GE0/0     10.255.111.1/30    GE0/1     100.1.1.1/24       GE0/2     10.255.12.1/30    Loop0     192.168.255.1/32    Tun0       10.255.13.1/30
R2	GE0/0        10.255.25.1/30      GE0/1        10.255.122.1/30     GE0/2        10.255.12.2/30        Loop0        192.168.255.2/32
R3	GE0/0        100.1.3.1/24      Loop0        192.168.255.3/32   Loop10      192.168.102.254/24  Loop20      10.101.2.254/32    Tun0          10.255.13.2/30
R4	GE0/0        10.255.25.2/30         Loop0        192.168.255.4/32    Loop1        192.168.11.1/24   Loop2        10.11.0.0/16
S1	Loop0        192.168.255.11   Vlan10       192.168.0.253    Vlan20       10.1.0.252       Vlan30       10.255.212.1     Vlan40       10.255.111.2
S2	Loop0        192.168.255.12 Vlan10       192.168.0.252  Vlan20       10.1.0.253 Vlan30       10.255.212.2     Vlan40       10.255.111.2
S3	Vlan10      Vlan20    10.1.1.100
S5	Loop0     100.1.1.100     Vlan10    100.1.1.254      Vlan30    100.1.3.254

PS：所有的设备信息收集在下一篇文章。